367610 matches found
CVE-2026-64186 iommu/amd: Remove latent out-of-bounds access in IOMMU debugfs
In the Linux kernel, the following vulnerability has been resolved: iommu/amd: Remove latent out-of-bounds access in IOMMU debugfs In iommummiowrite and iommucapabilitywrite, the variables dbgmmiooffset and dbgcapoffset are declared as int. However, they are populated using kstrtou32fromuser. If ...
CVE-2026-64185 sysfs: don't remove existing directory on update failure
In the Linux kernel, the following vulnerability has been resolved: sysfs: don't remove existing directory on update failure When sysfsupdategroup is called for a named group and createfiles fails e.g. -ENOMEM, internalcreategroup calls kernfsremovekn on the group directory. In the update path, k...
CVE-2026-64184 mm/damon/sysfs-schemes: call missing mem_cgroup_iter_break()
In the Linux kernel, the following vulnerability has been resolved: mm/damon/sysfs-schemes: call missing memcgroupiterbreak damonsysfsmemcgpathtoid breaks memcgroupiter loop without calling memcgroupiterbreak. This leaks the cgroup reference. Fix the issue by calling memcgroupiterbreak before the...
CVE-2026-64182 drivers/base/memory: fix memory block reference leak in poison accounting
In the Linux kernel, the following vulnerability has been resolved: drivers/base/memory: fix memory block reference leak in poison accounting memblknrpoisoninc and memblknrpoisonsub look up a memory block via findmemoryblockbyid, which acquires a reference to the memory block device. Both helpers...
CVE-2026-64183 efi: Allocate runtime workqueue before ACPI init
In the Linux kernel, the following vulnerability has been resolved: efi: Allocate runtime workqueue before ACPI init Since commit 5894cf571e14 "acpi/prmt: Use EFI runtime sandbox to invoke PRM handlers" ACPI PRM calls are delegated to a workqueue which runs in a kernel thread, making it easier to...
CVE-2026-64181 mm: fix __vm_normal_page() to handle missing support for pmd_special()/pud_special()
In the Linux kernel, the following vulnerability has been resolved: mm: fix vmnormalpage to handle missing support for pmdspecial/pudspecial On x86 32-bit with THP enabled, zaphugepmd is seen to generate a "WARNING: mm/memory.c:735 at vmnormalpage+0x6a/0x7d", from the VMWARNONONCEiszeropfnpfn ||...
CVE-2026-64179 net: wwan: iosm: fix potential memory leaks in ipc_imem_init()
In the Linux kernel, the following vulnerability has been resolved: net: wwan: iosm: fix potential memory leaks in ipcimeminit The memory allocated in ipcprotocolinit is not freed on the error paths that follow in ipcimeminit. Fix that by calling the corresponding release function ipcprotocoldein...
CVE-2026-64180 mm/memory_hotplug: fix memory block reference leak on remove
In the Linux kernel, the following vulnerability has been resolved: mm/memoryhotplug: fix memory block reference leak on remove Patch series "mm: Fix memory block leaks and locking", v2. This series fixes two memory block device reference leaks and one locking issue around the per-memoryblock...
CVE-2026-64178 Bluetooth: bnep: Fix UAF read of dev->name
In the Linux kernel, the following vulnerability has been resolved: Bluetooth: bnep: Fix UAF read of dev-name bnepaddconnection needs to keep holding the bnepsessionsem while reading dev-name just like bnepgetconnlist does; otherwise the bnepsession thread can concurrently free the netdevice, whi...
CVE-2026-64177 phonet/pep: disable BH around forwarded sk_receive_skb()
In the Linux kernel, the following vulnerability has been resolved: phonet/pep: disable BH around forwarded skreceiveskb The networking receive path is usually run from softirq context, but protocols that take the socket lock may have packets stored in the backlog and processed later from process...
CVE-2026-64175 wifi: iwlwifi: mld: stop TX during firmware restart
In the Linux kernel, the following vulnerability has been resolved: wifi: iwlwifi: mld: stop TX during firmware restart When iwlwifi firmware crashes e.g., NMIINTERRUPTUNKNOWN on Intel BE201/Wi-Fi 7, iwlmldnicerror sets mld-fwstatus.inhwrestart to true. However, iwlmldtxfromtxq does not check thi...
CVE-2026-64176 wifi: iwlwifi: mvm: fix driver-set TX rates on old devices
In the Linux kernel, the following vulnerability has been resolved: wifi: iwlwifi: mvm: fix driver-set TX rates on old devices On old devices such as 7265D, rates are still encoded in version 1 format, which doesn't use the CCK/OFDM rate index 0-3/0-7 but rather their PLCP value e.g. 10 for 1 Mbp...
CVE-2026-64174 wifi: cfg80211: advance loop vars in cfg80211_merge_profile()
In the Linux kernel, the following vulnerability has been resolved: wifi: cfg80211: advance loop vars in cfg80211mergeprofile cfg80211mergeprofile reassembles a Multi-BSSID non-transmitted BSS profile that has been split across multiple consecutive MBSSID elements. Its while-loop calls...
CVE-2026-64173 tracing: Do not call map->ops->elt_free() if elt_alloc() fails
In the Linux kernel, the following vulnerability has been resolved: tracing: Do not call map-ops-eltfree if eltalloc fails In paths where tracingmapeltalloc failed to allocate objects, the map-ops-eltalloc call was never successful. In this case, map-ops-eltfree should not be called...
CVE-2026-64172 KVM: SVM: Disable AVIC IPI virtualization on Hygon Family 18h (erratum #1235)
In the Linux kernel, the following vulnerability has been resolved: KVM: SVM: Disable AVIC IPI virtualization on Hygon Family 18h erratum 1235 Hygon Family 18h CPUs are derived from AMD Family 17h Zen1 silicon and share the same erratum 1235: hardware may read a stale IsRunning=1 bit during ICR...
CVE-2026-64171 i2c: tegra: fix pm_runtime leak on mutex_lock failure
In the Linux kernel, the following vulnerability has been resolved: i2c: tegra: fix pmruntime leak on mutexlock failure If tegrai2cmutexlock fails, the function returns without calling pmruntimeput, leaking the runtime PM reference acquired by the preceding pmruntimegetsync. This prevents the...
CVE-2026-64169 spi: ep93xx: fix error pointer deref after DMA setup failure
In the Linux kernel, the following vulnerability has been resolved: spi: ep93xx: fix error pointer deref after DMA setup failure The driver falls back to PIO mode if DMA setup fails during probe. Make sure to the clear the DMA channel pointers on setup failure to avoid dereferencing an error...
CVE-2026-64170 spi: qup: fix error pointer deref after DMA setup failure
In the Linux kernel, the following vulnerability has been resolved: spi: qup: fix error pointer deref after DMA setup failure The driver falls back to PIO mode if DMA setup fails during probe. Make sure to the clear the DMA channel pointers on setup failure to avoid dereferencing an error pointer...
CVE-2026-64167 kho: skip KHO for crash kernel
In the Linux kernel, the following vulnerability has been resolved: kho: skip KHO for crash kernel khofillkimage unconditionally populates the kimage with KHO metadata for every kexec image type. When the image is a crash kernel, this can be problematic as the crash kernel can run in a small...
CVE-2026-64168 spi: sprd: fix error pointer deref after DMA setup failure
In the Linux kernel, the following vulnerability has been resolved: spi: sprd: fix error pointer deref after DMA setup failure The driver falls back to PIO mode if DMA setup fails during probe. Make sure to check the dma.enabled flag before trying to release the DMA channels also on late probe...
CVE-2026-64166 firmware: arm_ffa: Check for NULL FF-A ID table while driver registration
In the Linux kernel, the following vulnerability has been resolved: firmware: armffa: Check for NULL FF-A ID table while driver registration The bus match callback assumes that every FF-A driver provides an idtable and dereferences it unconditionally. Enforce that contract at registration time so...
CVE-2026-64165 ARM: integrator: Fix early initialization
In the Linux kernel, the following vulnerability has been resolved: ARM: integrator: Fix early initialization Starting with commit bdb249fce9ad4 "ARM: integrator: read counter using syscon/regmap", intcpinitearly calls sysconregmaplookupbycompatible which in turn calls ofsysconregister. This...
CVE-2026-64164 btrfs: tracepoints: fix sleep while in atomic context in btrfs_sync_file()
In the Linux kernel, the following vulnerability has been resolved: btrfs: tracepoints: fix sleep while in atomic context in btrfssyncfile The trace event btrfssyncfile is called in an atomic context all trace events are and its call to dput, which is needed due to the call to dgetparent, can...
CVE-2026-64163 test_kprobes: clear kprobes between test runs
In the Linux kernel, the following vulnerability has been resolved: testkprobes: clear kprobes between test runs Running the kprobes sanity tests twice makes all tests fail and eventually crashes the kernel. root@martin-riscv-1 echo 1 /sys/kernel/debug/kunit/kprobestest/run ... Totals: pass:5...
CVE-2026-64162 idpf: fix read_dev_clk_lock spinlock init in idpf_ptp_init()
In the Linux kernel, the following vulnerability has been resolved: idpf: fix readdevclklock spinlock init in idpfptpinit In idpfptpinit, readdevclklock is initialized after ptpscheduleworker had already been called and after idpfptpsettime64 could reach the lock. The PTP aux worker fires...
CVE-2026-64161 net: ti: icssm-prueth: fix eth_ports_node leak in probe
In the Linux kernel, the following vulnerability has been resolved: net: ti: icssm-prueth: fix ethportsnode leak in probe The error path on ofpropertyreadu32 failure inside icssmpruethprobe returns without putting ethportsnode, which was acquired before the foreachchildofnode loop. Drop it before...
CVE-2026-64160 netfs: Fix potential for tearing in ->remote_i_size and ->zero_point
In the Linux kernel, the following vulnerability has been resolved: netfs: Fix potential for tearing in -remoteisize and -zeropoint Fix potential tearing in using -remoteisize and -zeropoint by copying isizeread and isizewrite and using the same seqcount as for isize. We need to make sure that...
CVE-2026-64159 netfs: Fix zeropoint update where i_size > remote_i_size
In the Linux kernel, the following vulnerability has been resolved: netfs: Fix zeropoint update where isize remoteisize Fix the update of the zero point by netfsreleasefolio when there is uncommitted data in the pagecache beyond the folio being released but the on-server EOF is in this folio ie...
CVE-2026-64158 netfs: Fix write streaming disablement if fd open O_RDWR
In the Linux kernel, the following vulnerability has been resolved: netfs: Fix write streaming disablement if fd open ORDWR In netfsperformwrite, "write streaming" the caching of dirty data in dirty but !uptodate folios is performed to avoid the need to read data that is just going to get...
CVE-2026-64156 netfs, afs: Fix write skipping in dir/link writepages
In the Linux kernel, the following vulnerability has been resolved: netfs, afs: Fix write skipping in dir/link writepages Fix netfswritesingle and afssinglewritepages to better handle a write that would be skipped due to lock contention and WBSYNCNONE by returning 1 from netfswritesingle if it...
CVE-2026-64157 netfs: Fix partial invalidation of streaming-write folio
In the Linux kernel, the following vulnerability has been resolved: netfs: Fix partial invalidation of streaming-write folio In netfsinvalidatefolio, if the region of a partial invalidation overlaps the front but not all of a dirty write cached in a streaming write page dirty, but not uptodate,...
CVE-2026-64155 wifi: ath11k: fix error path leaks in some WMI WOW calls
In the Linux kernel, the following vulnerability has been resolved: wifi: ath11k: fix error path leaks in some WMI WOW calls Fix two instances where we used to directly return the result of ath11kwmicmdsend.... Because we did not check the return value, we also did not free the skb in the error...
CVE-2026-64153 drm/msm: Fix iommu_map_sgtable() return value check and avoid WARN
In the Linux kernel, the following vulnerability has been resolved: drm/msm: Fix iommumapsgtable return value check and avoid WARN Commit "iommu: return full error code from iommumapsgatomic" changed iommumapsgtable to return an ssizet and negative values in error cases, rather than a sizet and a...
CVE-2026-64154 drm/msm/adreno: Fix a reference leak in a6xx_gpu_init()
In the Linux kernel, the following vulnerability has been resolved: drm/msm/adreno: Fix a reference leak in a6xxgpuinit In a6xxgpuinit, node is obtained via ofparsephandle. While there was a manual ofnodeput at the end of the common path, several early error returns would bypass this call,...
CVE-2026-64152 iommu: Handle unmap error when iommu_debug is enabled
In the Linux kernel, the following vulnerability has been resolved: iommu: Handle unmap error when iommudebug is enabled Sashiko noticed a latent bug where the map error flow called iommuunmap which calls iommudebugunmapbegin/iommudebugunmapend however since this is an error path the map flow nev...
CVE-2026-64150 netfilter: nft_inner: release local_lock before re-enabling softirqs
In the Linux kernel, the following vulnerability has been resolved: netfilter: nftinner: release locallock before re-enabling softirqs Quoting sashiko: In the error path, localbhenable is called before localunlocknestedbh...
CVE-2026-64151 iommupt: Check for missing PAGE_SIZE in the pgsize_bitmap
In the Linux kernel, the following vulnerability has been resolved: iommupt: Check for missing PAGESIZE in the pgsizebitmap Sashiko pointed out that the driver could drop PAGESIZE from the pgsizebitmap. That is technically allowed but nothing does it, and such an iommudomain would not be used wit...
CVE-2026-64149 dma-mapping: move dma_map_resource() sanity check into debug code
In the Linux kernel, the following vulnerability has been resolved: dma-mapping: move dmamapresource sanity check into debug code dmamapresource uses pfnvalid to ensure the range is not RAM. However, pfnvalid only checks for availability of the memory map for a PFN but it does not ensure that the...
CVE-2026-64147 pds_core: fix debugfs_lookup dentry leak and error handling
In the Linux kernel, the following vulnerability has been resolved: pdscore: fix debugfslookup dentry leak and error handling debugfslookup returns a dentry with an elevated reference count that must be released with dput. The current code discards the returned dentry without calling dput, causin...
CVE-2026-64148 pds_core: fix error handling in pdsc_devcmd_wait
In the Linux kernel, the following vulnerability has been resolved: pdscore: fix error handling in pdscdevcmdwait Fix two cases where pdscdevcmdwait returns stale success from the completion register instead of an error: 1. FW crash: If firmware stops running, the wait loop breaks early with...
CVE-2026-64146 erofs: fix metabuf leak in inode xattr initialization
In the Linux kernel, the following vulnerability has been resolved: erofs: fix metabuf leak in inode xattr initialization commit bb88e8da0025 "erofs: use meta buffers for xattr operations" converted xattr operations to use on-stack erofsbuf instances. erofsinitinodexattrs uses such a metabuf whil...
CVE-2026-64144 Bluetooth: btmtk: fix urb->setup_packet leak in error paths
In the Linux kernel, the following vulnerability has been resolved: Bluetooth: btmtk: fix urb-setuppacket leak in error paths The setuppacket of control urb is not freed if usbsubmiturb fails or the submitted urb is killed. Add free in these two paths...
CVE-2026-64145 wifi: wilc1000: fix dma_buffer leak on bus acquire failure
In the Linux kernel, the following vulnerability has been resolved: wifi: wilc1000: fix dmabuffer leak on bus acquire failure wilcwlanfirmwaredownload allocates dmabuffer with kmalloc at the top of the function and uses a 'fail:' label to free it via kfreedmabuffer on error. All later error paths...
CVE-2026-64143 platform/x86: uniwill-laptop: Do not enable the charging limit even when forced
In the Linux kernel, the following vulnerability has been resolved: platform/x86: uniwill-laptop: Do not enable the charging limit even when forced It seems that on some older models 2020 the battery charging limit can permanently damage the battery. Prevent users from enabling this feature thru...
CVE-2026-64142 ksmbd: close durable scavenger races against m_fp_list lookups
In the Linux kernel, the following vulnerability has been resolved: ksmbd: close durable scavenger races against mfplist lookups ksmbddurablescavenger has two related races against any walker that iterates fci-mfplist, including ksmbdlookupfdinode used by ksmbdvfsrename and the share-mode checks ...
CVE-2026-64140 ksmbd: fix null pointer dereference in proc_show_files()
In the Linux kernel, the following vulnerability has been resolved: ksmbd: fix null pointer dereference in procshowfiles When a SMB2 client opens a file with a durable v2 handle and then issues SMB2 SESSIONLOGOFF, sessionfdcheck clears fp-tcon = NULL on the reconnectable file pointer but leaves t...
CVE-2026-64141 ksmbd: fix null pointer dereference in compare_guid_key()
In the Linux kernel, the following vulnerability has been resolved: ksmbd: fix null pointer dereference in compareguidkey sessionfdcheck walks the per-inode moplist during durable-handle session teardown and sets op-conn = NULL for every opinfo whose conn matched the closing session's connection...
CVE-2026-64139 ksmbd: fix SID memory leak in set_posix_acl_entries_dacl() on overflow
In the Linux kernel, the following vulnerability has been resolved: ksmbd: fix SID memory leak in setposixaclentriesdacl on overflow Commit 299f962c0b02 "ksmbd: use checkaddoverflow to prevent u16 DACL size overflow" added checkaddoverflow guards that break out of the ACE-building loops in...
CVE-2026-64137 smb: client: require net admin for CIFS SWN netlink
In the Linux kernel, the following vulnerability has been resolved: smb: client: require net admin for CIFS SWN netlink CIFSGENLCMDSWNNOTIFY is the userspace witness-notify command. The intended sender is the cifs.witness helper, but the generic-netlink operation currently has no capability flag,...
CVE-2026-64138 ksmbd: validate SID in parent security descriptor during ACL inheritance
In the Linux kernel, the following vulnerability has been resolved: ksmbd: validate SID in parent security descriptor during ACL inheritance Introduce smbvalidatentsdsid helper to safely validate Owner SID and Group SID inside the NT Security Descriptor smbntsd retrieved from the parent directory...